MOVEit Data Breach


Please contact DMV if you have questions about the data breach that are not answered by the information on this page: 503-945-5000 (Statewide Relay TTY 711).

On June 1, 2023, the Oregon Department of Transportation learned we were part of a global hack of the file transfer tool called MOVEit, which we use to send and receive data. We immediately secured our system. However, we later learned that data records for Oregon driver's licenses, permits and ID cards were accessed.

If you have an active Oregon driver's license, permit, or ID card, you should assume your personal information was exposed. We recommend you take steps now to secure your information to avoid misuse. Information on what you can do to protect your information is described below. This page also includes the consumer notice you are entitled to receive under Oregon law.

Note that your license, permit, or ID is considered active if it is not expired. If you moved and got a new card in another state, your Oregon credential is NOT active—the new card deactivated the old one. You do not have to inform us if you got a new card in another state. 

Unfortunately, we are not able to check your DMV customer account or monitor it for suspicious activity. We also cannot change the number on your card unless there is proof that your name and number were used in committing a fraudulent act. If that happens, you should first call police to report the crime.

We understand the data breach may cause our customers worry and concern, and it may require you to take some extra steps to achieve peace of mind. We're working to provide you all the information you need to protect yourself. Come back to this page for details as they become available. You can also bookmark this page for updates.

ODOT continues to analyze data and files accessed by the breach. As we learn more, we will share that information here. Please contact us if you have more detailed questions at 503-945-5000 (Statewide Relay TTY 711).

Please share this page with anyone who needs to know about the breach and how to protect their data.

The Oregon Consumer Information Protection Act (OCIPA) 

The Oregon Consumer Information Protection Act (OCIPA), ORS 646A.600 et seq, is Oregon's law that provides safeguards for consumers’ personal information. OCIPA also sets clear direction and expectations for notification of individuals whose personal information is compromised in a breach.

In accordance with OCIPA, we are providing you with information on what happened, and how consumers can protect their identities and monitor against fraud in light of this data breach.

You can download a copy of ODOT's official notification letter about the breach:

What Happened?

  • On Thursday, June 1, 2023, the State of Oregon became aware of a vulnerability in a third-party software tool. The software tool is called MOVEit, and the vulnerability was disclosed by the company that owns the software, Progress. MOVEit is a tool used to transfer data files. Please know that Oregon DMV will never reach out to a customer and ask them to verify anything by clicking a link or asking for information.
  • Upon learning of the problem, the Oregon Department of Transportation (ODOT) quickly activated its emergency response procedures. ODOT worked with state cybersecurity professionals to immediately secure affected systems. ODOT also took immediate steps to investigate what, if any, of its information was affected by the vulnerability.
  • Unfortunately, on Monday, June 12, it was confirmed that the actors behind the hack of MOVEit Transfer accessed ODOT's data. This data contains personal information for approximately 3.5 million Oregonians. Even though the ODOT data was encrypted, it is widely understood that the hackers were able to read the data because of the vulnerability in MOVEit.
  • On Thursday, June 15th, ODOT notified the public about the MOVEit Transfer breach.

What Information Was Involved?

This information included personal information related to current, credentialed holders of Oregon driver's licenses or identification cards. The information protected by OCIPA is the combination of your first name, your last name, and driver's license or identification card number. This is "personal information" as defined under the Oregon Consumer Information Protection Act (OCIPA), ORS 646A.600 et seq.

This information also included dates of birth, physical addresses, and the last four digits of Social Security numbers. This information did not include banking, credit card or any other financial information. Your entire Social Security number was not part of this data.

What We Are Doing

ODOT is working closely with state cybersecurity services and has engaged a third-party security specialist for forensic analysis. This is a developing, worldwide issue, and ODOT is coordinating with local and federal law enforcement, sharing information as it becomes available and acting upon advisories provided by them. We will continue to closely monitor our systems, as well as vendor and industry information sources with information related to this vulnerability and its after-effects.

Information security and keeping personal information of Oregonians safe is our priority. We constantly update our security protocols to stay current with industry best practices. We will continue to guard against future vulnerabilities.

How You Can Reach Us

If you have any questions or concerns, please call 503-945-5000 (Statewide Relay TTY 711).

What You Can Do

There are immediate steps you can take to protect your information from identity theft. We recommend you actively monitor your account statements and credit reports. You are entitled to a free copy of your credit report once every 12 months from each of the three major credit reporting agencies, Experian, Equifax, and TransUnion.

To order a free report visit www.annualcreditreport.com, call toll free 1-877-322-8228, or contact the bureaus individually:

1-800-525-6285
P.O. Box 740256
Atlanta, GA 30374

1-888-397-3742
P.O. Box 9554
Allen, TX 75013

1-800-680-7289
P.O. Box 2000
Chester, PA 19016-2000

You can also place fraud alerts with the three credit bureaus. Placing a fraud alert at one of the three major credit bureaus notifies the other two to place the same alert on their files for you. A fraud alert tells creditors to take certain steps, including contacting you, before they open any new accounts in your name or change your existing accounts. Placing a fraud alert can protect you, but means it will probably take more time for you to open new credit accounts. There is no charge for this protective measure. An initial fraud alert will last for one year.

If you ever believe you are the victim of identity theft, you should immediately file a police report with your local police department. A police report is often required to dispute fraudulent charges. You can also report suspected incidents of identity theft to local law enforcement, the Oregon Attorney General, and the Federal Trade Commission (FTC). The Oregon Attorney General and the FTC have additional information on preventative measures on their websites. Their contact information is:

1-877-877-9392

1162 Court Street NE
Salem, OR 97301-4096

1-877-ID-THEFT (877-438-4338)
600 Pennsylvania Avenue, NW
Washington, DC 20580

FAQs

No, DMV systems are secure and we are ready to serve you. We want to reassure customers that our systems were not directly accessed. Files with customer information were accessed due to a vulnerability in the MOVEit third-party software. It is safe to do business with DMV.

If you have an active Oregon driver's license, permit, or ID card, you should assume your personal information was exposed.

Your license, permit, or ID is considered active if it is not expired.

We don't know exactly what data was accessed in the breach. However, personal information that is typically associated with a DMV record, such as first and last name, date of birth, home mailing address, license or ID number and the last four digits of a Social Security number, may have been exposed.

Only the last four digits. Your entire Social Security number was not part of the data.

No, financial information was not part of any accessed files.

A group calling itself Cl0p is claiming responsibility for the attack on MOVEit software, which impacted thousands of private businesses and government agencies around the world. The FBI is investigating this cybercrime. The best thing you can do is take steps to protect yourself.

We recommend you take steps now to secure your information to avoid misuse. 

Step 1: Monitor your credit report. You can request a free copy at www.annualcreditreport.com. 

Step 2: You may wish to freeze your credit files with the three credit monitoring agencies for greater security. Follow these links to do that:

DMV will not change your customer number (the number on your card) unless there is proof that your name and customer number were used in committing a fraudulent act. If that happens, you should first contact law enforcement to report the crime.

If you do have proof that your information was used to commit fraud, visit our identity theft information page to learn what to do next.

If you moved and got a new card in another state, your Oregon credential is NOT active – the new card deactivated the old one. You do not have to inform us if you got a new card in another state.

Contact DMV customer assistance at 503-945-5000 (Statewide Relay TTY 711).

If you do have proof that your information was used to commit fraud, visit our identity theft information page to learn more.

ODOT is working closely with state cybersecurity services and has engaged a third-party security specialist for forensic analysis of the data breach. 

We will continue to closely monitor our systems, as well as vendor and industry information sources related to this vulnerability and its after-effects. 

Additional security has been added to DMV's online service page, DMV2U.oregon.gov. This added security may create difficulties for some customers when accessing their DMV profile through DMV2U. Customers who are not able to provide the additional verification now required are encouraged to call DMV customer assistance or visit a DMV office to complete their business.

Federal law gives you the right to get a free copy of your credit report every 12 months from each of the three nationwide credit bureaus. Through December 2023, everyone in the United States also can get a free credit report each week from each of the three credit bureaus at AnnualCreditReport.com.

Also, everyone in the U.S. can get six free credit reports per year from Equifax through 2026 by visiting AnnualCreditReport.com. That’s in addition to the one free Equifax report (plus your Experian and TransUnion reports) that you can get annually at AnnualCreditReport.com.

Read more about free credit reporting on the Federal Trade Commission Free Credit Report information page.